If your domain isn’t public (domain -> IP address, port 80 is open), you have to use the dns-01 challenge to confirm that you are the owner of the domain. You have to create a special DNS entry with a special value.

But certificates are only valid for 90 days, so you have to do that every 60-90 days. If your DNS provider doesn’t support an API, this may be painful.